
Zero Trust Architecture and 5G security


Although many have long understood the importance of mobile networks for society, the Covid-19 pandemic really highlighted how digital communication – enabled by mobile networks – is the backbone of our private, societal and professional lives. We have seen that the growing importance of mobile networks has also increased demands on security and reliability, and these demands are not restricted just to mobile networks, they are applicable to the entire ICT industry.

To guide our conversation, there are three important and defining documents we mention throughout this post: the NIST publication on Zero Trust Architecture (NIST SP 800-207), the US Executive Order on cybersecurity quoted below, and the ENISA report on 5G security.

Right now, there is a lot of talk about Zero Trust and its importance. But instead of trying to capture everybody’s favorite angle on Zero Trust, we want to consider what it is really about and what it means for telecommunications. So, first:

What is Zero Trust Architecture?

Sometimes known as perimeterless security, the Zero Trust security model is an approach to the design and implementation of IT/ICT systems, with the main concept to “never trust, always verify”. This means that entities shouldn’t be trusted by default, regardless of their connection to a perceived walled garden such as a corporate network or enterprise setting, even if they were previously verified. Zero Trust Architecture dictates mutual authentication, including checking the identity and integrity of entities without respect to location, and providing access to applications and services based on the confidence of device identity and device health in combination with user authentication.

When diving deeper into the zero trust conversation, it is easy to lose sight of the forest for the trees given all that has been written on the subject. Looking more closely at 5G enterprise use, however, it becomes clear that 5G brings many of the functions that enterprises require to build their security according to a Zero Trust Architecture. Enterprise security demands can be very specific and use-case driven, but 5G systems provide many of the baseline security functions for implementing one.

To evaluate this, let’s look first at Zero Trust, then 5G, and finally how all that comes together for enterprises that want to use 5G.

Why Zero Trust

The heterogeneous nature of modern ICT infrastructure makes it increasingly difficult to protect ICT resources with conventional, perimeter-based approaches. By starting from the assumption that an attacker may already be inside the network, the zero trust model enhances security by requiring that every interaction between resources happens only after authentication and explicit authorization.

The discussion on Zero Trust has its roots in the security thinking around enterprise solutions. This connection to enterprise is also highlighted in the US Executive Order stating that “The Federal Government must adopt security best practices… While there is a focus on data and services, the concept of zero trust can and should be expanded to include all enterprise assets such as devices and infrastructure components.” Many security specialists recognize that behind Zero Trust lies the understanding that robust security requires defense-in-depth thinking, and that segmentation of systems ensures a single compromise does not put all assets at risk at the same time.

An operative definition of Zero Trust and Zero Trust Architecture by NIST:

Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

Zero Trust Architecture is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

Source: NIST Zero Trust Architecture, NIST SP 800-207

Zero Trust in a network infrastructure context

Now that we’ve talked at length about what Zero Trust Architecture is, let’s look at it from a telco vendor perspective. Ericsson’s approach is to apply Zero Trust principles to telecommunications networks and for the different use cases these networks are used for. We have chosen to use the terminology and tenets defined by the US National Institute of Standards and Technology (NIST) SP 800-207, referenced above. In our approach, zero trust architecture is basically a holistic active defense strategy for managing risk, complementing established state-of-the-art information security practices. This holistic view also means that network products will have to follow zero trust architecture in the same spirit as NIST describes it in their document.

Specifically, when reading descriptions of the detailed security functions coupled to zero trust, we see that these are functions we at Ericsson have had in our baseline security requirements for many years. What is new with Zero Trust is the holistic view and in-depth application of these security principles, with control both vertically and horizontally. That is also where the power of the zero trust concept lies.

Logically, this brings us directly to the question of how the 5G architecture fits into a Zero Trust Architecture. To go deeper into this question, one has to understand how 5G was developed from previous generations of mobile networks, particularly 3G and 4G. In practice, this development was a collective effort in the 3GPP organization by device and infrastructure vendors as well as Mobile Network Operators (MNOs), a collective effort that from the start took a holistic view not only of functionality but also of security.

Zero Trust models in 5G networks

In building mobile networks, we can see that the Zero Trust principles defined today in the NIST document were already applied in the standardization of 3G and 4G networks. In 4G networks, we started by separating control-plane and user-plane transport and protecting each cryptographically, and strong identities were introduced early and used for authentication. We pushed this further in 5G, since 5G had the ambition to support mission critical use cases. At the same time, implementation technologies shifted, which also changed the threat landscape and the means available to address the overall network security requirements.

Most importantly, 5G as standardized by 3GPP gives MNOs a standardized and well-defined way to deploy zero trust functions such as authentication and authorization of API usage, and protected communication between and to the 5G network functions using HTTPS, (D)TLS or IPsec. Details on how 5G has adopted zero trust principles are explained in the recent Ericsson Technology Review article “Zero trust and 5G – Realizing zero trust in networks”.
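As an added illustration of what “authorization of API usage” between network functions looks like in practice (this is example code written for this post, not Ericsson’s or 3GPP’s implementation): 3GPP TS 33.501 specifies OAuth 2.0 access tokens, issued by the NRF and carried as signed JWTs, for authorizing an NF service consumer towards an NF service producer. The toy NRF below signs with HMAC-SHA256 using a shared secret, an assumption made to keep the example self-contained (a real NRF would normally sign with a private key and producers verify with its public key). The producer then re-checks every request: signature, algorithm, expiry, audience (its own NF type), scope (the requested service), and that the token subject matches the NF instance identity already authenticated via mutual TLS. All identifiers (`nrf.example`, `amf-0001`, service names) are constructed for the example.

```python
"""Per-request authorization check for a 5G SBA service producer (illustrative)."""
import base64
import hashlib
import hmac
import json
import time

# Shared HMAC key between the toy NRF and producers; an assumption for this
# example only. Real deployments use an NRF signing key pair (JWS with a
# digital signature), so producers never hold a key that could mint tokens.
SECRET = b"nrf-shared-secret-for-illustration-only"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def nrf_issue_token(consumer_nf_instance_id, producer_nf_type, scope, ttl=600, now=None):
    """Toy NRF: mint an HS256 JWS binding consumer, producer type and allowed services."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "nrf.example",            # constructed NRF identity
        "sub": consumer_nf_instance_id,  # NF consumer instance ID
        "aud": producer_nf_type,         # producer NF type, e.g. "UDM"
        "scope": scope,                  # space-separated service names
        "exp": now + ttl,
    }
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def producer_authorize(token, my_nf_type, requested_service, tls_client_nf_instance_id, now=None):
    """Producer-side check run on every incoming request. Returns (ok, reason).

    tls_client_nf_instance_id is the consumer identity taken from the client
    certificate of the mutually authenticated TLS connection; the token is
    only accepted for the peer it was issued to ("never trust, always verify").
    """
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_unb64(h))
        sig = _unb64(s)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"  # reject alg confusion, e.g. "none"
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(_unb64(c))  # only parsed after the signature is verified
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != my_nf_type:
        return False, "token not for this NF type"
    if requested_service not in claims.get("scope", "").split():
        return False, "service not in scope"
    if claims.get("sub") != tls_client_nf_instance_id:
        return False, "token subject does not match TLS client identity"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed scenario: an AMF holds a token for UDM services and calls Nudm_SDM.
    t0 = 1_700_000_000
    tok = nrf_issue_token("amf-0001", "UDM", "nudm-sdm nudm-uecm", now=t0)
    print(producer_authorize(tok, "UDM", "nudm-sdm", "amf-0001", now=t0))   # (True, 'authorized')
    print(producer_authorize(tok, "AUSF", "nudm-sdm", "amf-0001", now=t0))  # wrong audience
    print(producer_authorize(tok, "UDM", "nudm-sdm", "smf-0009", now=t0))   # replayed by another NF
```

The last two checks in `producer_authorize` are the ones that matter most for zero trust: the token alone is not enough, it must be presented over a connection whose authenticated peer is the NF the NRF issued it to, and it must name exactly the service being called. A producer that skipped either check would be trusting the network rather than verifying the request.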

The standardization work to make 5G even more secure for further mission critical use cases is ongoing as part of the coming Release 18, most notably in the 3GPP SA WG6 and SA WG3 working groups, whose holistic view of security is in effect a plan for realizing zero trust.

Figure 1: In 5G networks cryptographic identities are used when devices and services connect to perform authentication and authorization in the Service Based Architecture (SBA) as specified in 3GPP TS 23.501

The ENISA report summarizes the security approaches and solutions that 3GPP has standardized into the 5G system, and the document identifies the use of the zero trust model. Furthermore, ENISA is working on a new report that describes the security aspects of implementing 5G using the ETSI NFV specifications and will contain best practices. Hence, the 3GPP standardization work, the assurance schemes in the telecom industry such as the 3GPP Security Assurance Specifications (SCAS) and GSMA NESAS, and the ENISA best practices all have zero trust thinking built into them.

5G matches Enterprise security needs

We believe the US Executive Order is right in putting the focus not only on governmental but also on private enterprise operations. For MNOs, such a focus has direct meaning, but it also extends to the enterprise solutions that these operators offer. In particular, the entire ICT systems that enterprises use will follow a Zero Trust Architecture, which means enterprises must have a plan to implement the Zero Trust principles. Consequently, the same has to hold for the network platform.

The beauty is that with 5G Service Based Architecture, the implementation technology of the 5G network functions is basically the same as in the IT industry in general. In both worlds, we see extensive use of cloud computing technologies, virtualization and container-based products. Thus, 5G networks and Enterprise ICT exist in the same implementation ecosystem and hence there are strong factual arguments to build Enterprise ICT directly using 5G network functions. For example, using a setup as in Figure 2, different secure realizations are easily obtained via orchestration:


Figure 2: 5G network and Enterprise existing in the same ecosystem.

From a security and zero trust point of view, then, 5G provides the baseline functions that enterprises require for a Zero Trust Architecture, even where specific use cases add their own demands on top.

Summarizing our reflections, we really see how the consistent work on security has led to the potential of 5G as a network for enterprise use. 5G provides enterprises with a network platform for building their applications on zero trust principles, just as stipulated in the Executive Order and in the ENISA best practices. It’s a secure match indeed.

Want to know more?

Check out our approach to product and solution security.
Read more about Ericsson and security.

Read more about security research on our future network security page.
